You can configure Tableau Server to use Secure Sockets Layer (SSL) encrypted communications on all external HTTP traffic. Setting up SSL ensures that access to Tableau Server is secure and that sensitive information passed between the web browser and the server or Tableau Desktop and the server is protected. Steps on how to configure the server for SSL are described in the topic below; however, you must first acquire a certificate from a trusted authority, and then import the certificate files into Tableau Server. If you are running a Tableau Server cluster and you want to use SSL, see Configure SSL for a Cluster, below, for recommendations.
Acquire an Apache SSL certificate from a trusted authority (for example, Verisign, Thawte, Comodo, GoDaddy). You can also use an internal certificate issued by your company. Wildcard certificates, which allow you to use SSL with many host names within the same domain, are also supported.
Note: Be sure to use a SHA-2 (256 or 512 bit) certificate. All major browsers will display warnings when connecting to SHA-1 certificates. By the end of 2017, it's likely that most browsers will no longer connect to servers that are presenting SHA-1 certificates.
Some browsers will require additional configuration to accept certificates from certain providers. Refer to the documentation provided by your certificate authority.
Place the certificate files in a folder named SSL, parallel to the Tableau Server 10.4 folder. For example:
C:\Program Files\Tableau\Tableau Server\SSL
This location gives the account that's running Tableau Server the necessary permissions for the files. You may need to create this folder.
Open the Tableau Server Configuration Utility by selecting Start > All Programs > Tableau Server 10.4 > Configure Tableau Server on the Start menu.
In the Configuration Tableau Server dialog box, select the SSL tab.
Select Use SSL for server communication and provide the location for each of the following certificate files:
- SSL certificate file—Must be a valid PEM-encoded x509 certificate with the extension .crt.
- SSL certificate key file—Must be a valid RSA or DSA private key file (with the extension .key by convention). If the certificate key file requires a passphrase enter it in the field, SSL certificate key passphrase. (The passphrase you enter will be encrypted while at rest). Alternatively, you can provide a path to a key file that is not passphrase protected.
Note: If you create a certificate key file with a passphrase, you cannot reuse the SSL certificate key for SAML.
- SSL certificate chain file (Optional for Tableau Server, required for Tableau Mobile and Tableau Desktop on the Mac)—Some certificate providers issue two certificates for Apache. The second certificate is a chain file, which is a concatenation of all the certificates that form the certificate chain for the server certificate. All certificates in the file must be x509 PEM-encoded and the file must have a .crt extension (not .pem).
(optional) If you are using SSL for server communication and want to configure SSL communication between Tableau Server and clients using certificates on both the server and clients:
Select Use mutual SSL and automatic login with client certificates.
Note: Tableau Server does not support mutual SSL and SAML together.
In SSL CA certificate file, browse to the location for the certificate file. The SSL CA certificate file must be a valid PEM-encoded x509 certificate with the extension .crt.
Note: If you have multiple trusted Certificate Authorities (CAs) you can copy and paste the entire contents of each CA certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, into a new file, then save the file as CAs.crt. In SSL CA certificate file, browse to the location of this new file.
Click OK. The changes will take effect the next time the server is restarted.
When the server is configured for SSL, it accepts requests to the non-SSL port (default is port 80) and automatically redirects to the SSL port 443.
Note: Tableau Server only supports port 443 as the secure port. It cannot run on a computer where another application is using port 443.
SSL errors are logged in the install directory at the following location. Use this log to troubleshoot validation and encryption issues:
You can configure a Tableau Server cluster to use SSL. If the primary node is the only one running the gateway process (which it does by default), you need to configure SSL only on that node, using the steps described earlier.
A highly available Tableau Server cluster can include multiple gateways, fronted by a load balancer. If you are configuring this type of cluster for SSL, you have the following choices:
Configure the load balancer for SSL: Traffic is encrypted from the client web browsers to the load balancer. Traffic from the load balancer to the Tableau Server gateway processes is not encrypted. No SSL configuration in Tableau Server is required by you. It’s all handled by the load balancer.
Configure Tableau Server for SSL: Traffic is encrypted from the client web browsers to the load balancer, and from the load balancer to the Tableau Server gateway processes. For more information, continue to the following section.
When you want to use SSL on all Tableau Server nodes that run a gateway process, you complete the following steps.
Configure the external load balancer for SSL passthrough.
Or if you want to use a port other than 443, you can configure the external load balancer to terminate the non-standard port from the client. In this scenario, you would then configure the load balancer to connect to Tableau Server over port 443. For assistance, refer to the documentation provided for the load balancer.
Make sure the SSL certificate is issued for the load balancer’s host name.
Configure the initial Tableau Server node for SSL.
Place the same SSL certificate and key file that you used for the initial node on each subsequent Tableau Server node that runs a gateway process. Use the same folder location on all computers.
If you are using mutual SSL, place the SSL CA certificate file in the same location on all computers that run a gateway process.
You do not need to do any additional configuration on the subsequent nodes.
Say you have a cluster that includes a primary Tableau Server node and three worker nodes, with gateway processes running on the primary, Worker 2 and Worker 3. In this situation, you configure the primary Tableau Server for SSL, and then copy the same SSL certificate and key files to Worker 2 and Worker 3, to the same location as on the primary.